Redesigning UNIX Redesigning UNIX for for ReliabilityReliability
ContentsContents
Overview. Proposed System. Why do Operating Systems Crash? What is OS Reliability ? Operating System Design. Proposed Design Principles. MINIX 3 Our Reliable UNIX. Architecture of MINIX 3. MINIX 3 Reliability Features. MINIX 3 Performance. Conlusion. References.
Overview Proposed System Why do Operating Systems Crash? What is OS Reliability ? Operating System Design. Proposed Design Principles. MINIX 3 Our Reliable UNIX Architechure of MINIX 3 MINIX 3 Reliability Features MINIX 3 Performance Conlusion References
OverviewOverview
OOperating system are suppose to function perating system are suppose to function flawlessly flawlessly but but OSes OSes like like MS MS Windows Windows , , Linux,Mac etc fail to do so.Linux,Mac etc fail to do so.
TThese hese OS OS have have majority majority of of their their code code in in Kernel,and Kernel,and any any bug bug can can trash trash entire entire system.They system.They violate violate Principle Principle of of Least Least Authorization.Authorization.
Proposed SystemProposed System
IIt t dive dive into into a a UNIXlike UNIXlike system system called called MINIX MINIX 3 3 , , with with entire entire operating operating system system running running as as tightly tightly restricted, restricted, independent,user mode processes.independent,user mode processes.
TThis his structure structure with with mechanism mechanism for for transparent recovery from crashes results transparent recovery from crashes results in in highly highly reliable,multiserver reliable,multiserver OS OS which which looks looks and and feels feels like like most most successful successful UNIX. UNIX.
Why do Operating System Crash ?
Why do Operating System Crash ?Why do Operating System Crash ?
Reason Reason for for Operating Operating System System Crashes Crashes can can be be track track backed backed to to two two basic basic design design flaw:flaw:
OOS S core core modules modules shares shares too too much much privileges.privileges.
LLack ack of of fault fault isolation isolation among among OS OS core core modules.modules.
Other factors> Other factorsOther factors
MMost ost users users allow allow third third party party drivers drivers to to be loaded into the OS core.be loaded into the OS core.
DDevice drivers are written by programmers evice drivers are written by programmers working for the peripheral manufacturer.working for the peripheral manufacturer.
EEven ven in in an an opensource opensource effort,it effort,it is is not not necessarily coded experienced volunteer.necessarily coded experienced volunteer.
MMost ost errors errors are are due due to to programming programming bugs bugs ,studies ,studies have have shown shown there there are are 1 1
16bugs per 1000 lines of code.16bugs per 1000 lines of code. What is OS Reliability ?What is OS Reliability ?
Operating System DesignOperating System Design
We aim at reliability,lets look at how We aim at reliability,lets look at how the choice of OS kernel design affect the choice of OS kernel design affect reliability.reliability.
Two typical kernel design options are:Two typical kernel design options are:
MMonolithic Kernelonolithic Kernel
MMicro Kernelicro Kernel
Monolithic KernelMonolithic Kernel
Problem with Monolithic KernelProblem with Monolithic Kernel
NNo proper isolation of faults.o proper isolation of faults. AAll ll codes codes runs runs at at highest highest privilege privilege levels.levels. HHuge amount of code imply many bugs.uge amount of code imply many bugs. UUntrusted,third party code in Kernel.ntrusted,third party code in Kernel. HHard to maintain due to complexity.ard to maintain due to complexity. KKernel is assumed to be perfect code.ernel is assumed to be perfect code. FFundamental undamental desing desing requires requires 3 3rd party party driver to be inserted into the kernel.driver to be inserted into the kernel.
MicroKernel DesignMicroKernel Design
Why a Microkernel Design?Why a Microkernel Design?
IIt t consist consist of of bare bare mechanism mechanism but but no no policy.policy. KKernel ernel just just provides provides mechanism mechanism of of interrupt handler ,scheduler,MMU,IPC.interrupt handler ,scheduler,MMU,IPC. SStd td OS OS functionality functionality like like device device drivers,file system,network server,high drivers,file system,network server,high level level memory memory management management runs runs as as separate separate process process in in a a private private address address space.space. FFunctionality unctionality communicates communicates among among them them with with kernel kernel IPC IPC than than shared shared virtual virtual address space.address space. Microkernel is ReliableMicrokernel is Reliable
IIn n userspace userspace operating operating system system are are restricted to what they can do.restricted to what they can do. KKernel ernel exports exports kernel kernel calls calls to to only only those those OS OS task task that that are are authorized authorized to to call.call. DDevice evice drivers drivers have have no no privileges privileges to to perform perform I/O I/O directly directly but but can can request request kernel.kernel. AAll ll IPC IPC is is done done by by exchanging exchanging small small fixed fixed size size messages,kernel messages,kernel checks checks the the call call being being requested requested to to see see if if its its authorized.authorized. Proposed Design PrinciplesProposed Design Principles
SSimplicity.implicity.
MModularity. odularity.
LLeast Authorization.east Authorization.
FFault tolerance.ault tolerance.
SimplicitySimplicity
WWe e keep keep our our system system as as simple simple as as possible possible so that is easy to understand.so that is easy to understand. TThis his design design avoids avoids problems problems of of resource resource exhaustion.exhaustion. IIf f needed needed we we compromise compromise performance performance for for reliability.reliability. IIn n kernel kernel we we statically statically declare declare all all the the datastructres datastructres even even though though it it waste waste memory,it is much simpler to manage.memory,it is much simpler to manage. WWe e deliberately deliberately not not implement implement multi multi threading,so threading,so that that we we can can avoid avoid race race
conditions,may with cost of performance.conditions,may with cost of performance. ModularityModularity
WWe e split split our our system system into into collection collection of of independent modules.independent modules. TThis his builds builds a a firewall firewall across across modules modules so so that that errors errors can't can't propagate propagate to to other other modules.modules. WWe e have have reduced reduced interdependencies interdependencies among among modules modules so so that that failure failure of of one one doesn't doesn't affect others.affect others. egeg:File :File System System is is depends depends on on device device drivers drivers but but its its designed designed in in such such a a way way
that that its its prepared prepared to to handle handle driver driver failure.failure. Least AuthorizationLeast Authorization
AA fault fault in in powerful powerful module module can can bring bring down down entire entire system,so system,so we we reduce reduce the the privileges privileges of of all all the the process process including including servers and drivers.servers and drivers. KKernel ernel maintains maintains a a bit bit map map that that governs governs who can do what.who can do what. FFor or eg:The eg:The allowed allowed kernel kernel call call map map and and list list of of permitted permitted message message desti desti nations,this nations,this information information is is in in each each process process table table entry entry and and initialized initialized at at boot time set by sys admin.boot time set by sys admin.
Fault ToleranceFault Tolerance
WWe have explicitly designed our system to e have explicitly designed our system to withstnad failures.withstnad failures. AAll ll server server and and drivers drivers are are monitered monitered by by special special server server called called reincarnation reincarnation server.server. IIf system process unexpectedly exits,this f system process unexpectedly exits,this is found by RS and process is restarted.is found by RS and process is restarted. SStatus tatus of of each each system system process process is is period period ically ically checked checked to to see see if if its its still still work work ing,if not malfuctioning server/driver is ing,if not malfuctioning server/driver is killed and restarted.killed and restarted.
FFault is detected,rectified on the fly.ault is detected,rectified on the fly. MINIX 3 our Reliable UNIXMINIX 3 our Reliable UNIX
Andrew S. Tanebaum and R&D students. UNIX Clone. POSIX Compliant. Microkernel based. Full Multiuser. Multiprograming. Fault tolerant. Open Sourced GPL/BSD. Single chip/low powered devices. Embbeded Systems.
Education. Architecture of MINIX 3
The KernelThe Kernel
TThe kernel consist of under 4000 lines of he kernel consist of under 4000 lines of executable executable code code (LoC),which (LoC),which makes makes easy easy for us to understand and use verification for us to understand and use verification tools.tools.
TThe he kernel kernel is is responsible responsible for for low low level level operations operations such such as as programming programming the the CPU,MMU,interrupt handling and IPC.CPU,MMU,interrupt handling and IPC.
KKernel ernel contains contains two two tasks tasks namely namely SYS SYS and and CLOCK to support the usermode part of the CLOCK to support the usermode part of the system.system. The Kernel (continued)The Kernel (continued)
KKernel ernel maintains maintains list list and and bitmaps bitmaps to to restrict restrict the the power power of of all all system system process,like process,like IPC IPC destination,kernel destination,kernel calls allowed,I/O ports,IRQ lines,memory calls allowed,I/O ports,IRQ lines,memory regions.regions.
PPolicies are set by the RS and enforced olicies are set by the RS and enforced by kernel at runtime.by kernel at runtime.
Kernel IPCKernel IPC
KKernel IPC eliminates the need for dynamic ernel IPC eliminates the need for dynamic allocation of resources.allocation of resources.
TThe he standard standard requestreply requestreply is is rendez rendez vous,if vous,if the the destinations destinations is is not not waiting waiting IPC IPC REQUEST REQUEST blocks blocks the the sender sender until until IPC IPC REPLY has been sent,receiver is blocked on REPLY has been sent,receiver is blocked on IPC SELECT,when no IPC is available.IPC SELECT,when no IPC is available.
MMessages essages are are never never buffered buffered in in kernel kernel ,but ,but copied copied from from sender sender to to receiver receiver speeding speeding up up the the IPC IPC eliminating eliminating buffer buffer overruns.overruns. Kernel IPC (continued)Kernel IPC (continued)
FFor special events IPC NOTIFY primitive or special events IPC NOTIFY primitive can be used to send non blocking can be used to send non blocking notification messages.notification messages.
int notify(endpoint_t dest);
int receive(endpoint_t src, message *m_ptr);
int send(endpoint_t dest, message *m_ptr);
System Task (SYS)kernel spaceSystem Task (SYS)kernel space
IIt t is is the the interface interface to to the the kernel kernel for for all all usermode usermode servers servers and and drivers drivers that that requried lowlevel kernel operation.requried lowlevel kernel operation.
AAll ll kernel kernel calls calls in in system system library library are are transformed into request message sent to transformed into request message sent to SYS,which handles if caller authorized.SYS,which handles if caller authorized.
KKernel ernel calls calls handled handled by by SYS SYS can can be be grouped grouped into into process process ,memory ,memory and and interrupt management,device I/O and interrupt management,device I/O and clock services.clock services.
Clock Task (CLOCK)kernel spaceClock Task (CLOCK)kernel space
IIt t is is responsible responsible for for accounting accounting CPU CPU usage,scheduling when quantum expires,usage,scheduling when quantum expires, managing managing watchdog watchdog timers timers and and interacting interacting with hardware clock.with hardware clock. CClock lock registers registers an an interrupt interrupt handler handler ,that is run on every clock tick.,that is run on every clock tick. IISR SR for for clock clock only only increments increments the the CPU CPU usage usage and and decrements decrements the the scheduling scheduling quantum.quantum. SSYS YS provides provides interface interface from from CLOCK CLOCK to to servers and drivers. servers and drivers. User Space ServersUser Space Servers
TThe size of the servers approximately he size of the servers approximately range from 10003000 LoC /server,which range from 10003000 LoC /server,which helps us in understanding.helps us in understanding. TThis extends the UNIX philosophy of his extends the UNIX philosophy of limited responsibility and power to OS limited responsibility and power to OS desing level.desing level. WWe here implement POSIX comformant,multi e here implement POSIX comformant,multi server operating system.server operating system. SServers and and drivers cooperate using ervers and and drivers cooperate using kernel IPC to provide the functionality kernel IPC to provide the functionality of ordinary UNIX. of ordinary UNIX.
User Space servers (continued)User Space servers (continued)
PM (Process manager)PM (Process manager)
MM (Memory manger)MM (Memory manger)
FS (File System)FS (File System)
DS (Data Store)DS (Data Store)
RS (Reincarnation Server)RS (Reincarnation Server)
Process ManagerProcess Manager
TTogether with FS,PM implements the POSIX ogether with FS,PM implements the POSIX interface.interface. PPM M is is responsible responsible for for process process mana mana ment,such ment,such as as creating creating and and removing removing processes,assig processes,assig ning ning process process ID ID and and priorities priorities and and flow flow of of execution,also execution,also responsible for POSIX signaling.responsible for POSIX signaling. PPM implements all the process management M implements all the process management policies,for policies,for kernel kernel all all process process are are the the same,all same,all it it does does is is to to schedule schedule the the highest priority ready process.highest priority ready process.
Memory ManagerMemory Manager
TTo o allowing allowing porting,we porting,we make make use use of of hardwareindependent segmented memory.hardwareindependent segmented memory. EEach process has text that can be shared ach process has text that can be shared with with process process that that execute execute the the same same program.program. SSystem ystem process process can can be be granded granded to to acess acess aditional memory like video memory.aditional memory like video memory. TText segments of all process are RDONLY.ext segments of all process are RDONLY. SStack tack and and Data Data segments segments are are not not executable.executable.
MMM M maintains maintains the the list list of of free free memory memory region.region. File ServerFile Server
IIt t is is an an ordinary ordinary file file server server that that handles handles the the POSIX POSIX calls calls like like read(),open(),write(),etc.read(),open(),write(),etc. FFile system blocks are buffered into FS's ile system blocks are buffered into FS's buffer cache.buffer cache. CCaches are periodically written to disk.aches are periodically written to disk. CCurrent urrent MINIX MINIX 3 3 support support only only one one File File system,VFS system,VFS (Virtual (Virtual File File system),is system),is on on the the way,that way,that supports supports multiple multiple file file systems.systems.
Data StoreData Store
SSmall mall data data base base server server with with publish publish subscribe functionality.subscribe functionality. SSystem ystem process process use use DS DS to to store store data data privately.privately. AA restarting restarting system system server server can can use use DS DS to restore its state back.to restore its state back. IIt t is is glue glue between between OS OS components components ,producer ,producer can can publish publish data data with with an an ID,and consumer can subscribe to events ID,and consumer can subscribe to events by producer with the ID.by producer with the ID.
Reincarnation ServerReincarnation Server
IIt t is is the the central central component component responsible responsible for managing all OS server and drivers.for managing all OS server and drivers. TThere here is is policy policy script script associated associated with with each driver and servers.each driver and servers. AA utility called service. utility called service. RS adopts all process in boot image as RS adopts all process in boot image as child.child. RRS does a periodic check on driver/server S does a periodic check on driver/server SStatus tatus request request from from drivers/server drivers/server are are nonblocking.nonblocking. RRS replace malfunctioning task with fresh S replace malfunctioning task with fresh one.one. Device driversDevice drivers
IIn MINIX 3 we have ATA,SATA,floppy and n MINIX 3 we have ATA,SATA,floppy and RAM disk ,keyboard,display drivers etc.RAM disk ,keyboard,display drivers etc. EEach driver in MINIX 3 runs as a user ach driver in MINIX 3 runs as a user process ,preventing the fault from process ,preventing the fault from spreading.spreading. NNot all bugs can be cured by restarting ot all bugs can be cured by restarting the failed drivers,but certain bugs the failed drivers,but certain bugs only requires a only requires a restart.restart. WWell more can be set in the policy ell more can be set in the policy script,to be set up in the event of script,to be set up in the event of driver crash.driver crash. MINIX 3 Reliability FeaturesMINIX 3 Reliability Features
Reducing the Number of kernel bugs. Reducing the bug power. Recovering from failures. Limited Buffer Overruns. Ensuring Reliable IPC Restricting IPC Avoiding Deadlocks. Restricting Driver functionality. Denying Access to I/O ports. Parameter Checking Catching bad pointers. Taming Infinite Loop.
Reducing the Number of kernel bugsReducing the Number of kernel bugs
WWe have tiny kernel,with almost 4000LoC e have tiny kernel,with almost 4000LoC ,which is well understood,when compared ,which is well understood,when compared to 2.5 million LoC of Linux.to 2.5 million LoC of Linux.
MMore chances of finding bugs.ore chances of finding bugs.
MMore code mean more bugs,1 16bugs per ore code mean more bugs,1 16bugs per 1000lines.1000lines.
Reducing the Bug powerReducing the Bug power
WWhen bug is triggered the effect would hen bug is triggered the effect would be be less less devastating devastating by by converting converting it it into usermode bug than kernel mode bug.into usermode bug than kernel mode bug. egeg:User mode sound driver that tries to :User mode sound driver that tries to dereference a bad pointer is killed by dereference a bad pointer is killed by RS RS server,causing server,causing sound sound to to stop stop while while rest of the system running.rest of the system running. AA similar similar kernel kernel mode mode sound sound driver,the driver,the dereferencing is allowed which may over dereferencing is allowed which may over write write the the stack stack return return address,causing address,causing entire system to crash.entire system to crash.
Recovering From failuresRecovering From failures
SServers ervers and and drivers drivers are are forked forked by by system system process process called called reincarnation reincarnation server.server.
IIf at all server/driver terminates this f at all server/driver terminates this is notified to RS,as it is the parent.is notified to RS,as it is the parent.
RRS polls the children periodically.S polls the children periodically.
MMonolithic onolithic systems systems doesn't doesn't have have method method to detect faulty drivers on fly.to detect faulty drivers on fly. Limiting Buffer OverrunsLimiting Buffer Overruns
BBuffer overflow is heavily exploited by uffer overflow is heavily exploited by viruses and worms.viruses and worms. OOur ur system system provides provides a a prevention prevention for for this than cure.this than cure. SSince ince our our kernel kernel is is static static alloc alloc ation,problem doesn't affect kernel.ation,problem doesn't affect kernel. OOur system only allows execution of code ur system only allows execution of code in RDONLY text segment.in RDONLY text segment. OOur ur stack stack and and datasegment datasegment is is not not executable.executable.
WWorst case is overwriting return address orst case is overwriting return address in stack.in stack. Ensuring Reliable IPCEnsuring Reliable IPC
OOur ur synchronous synchronous message message passing passing mechanism mechanism is is redezvous redezvous which which enables enables buffering and buffer management.buffering and buffer management.
IIf receiver is not waiting SEND blocks f receiver is not waiting SEND blocks the caller,same with receiver.the caller,same with receiver.
AAsynchronous method is NOTIFY.synchronous method is NOTIFY.
WWe e make make use use of of short short fixed fixed sized sized messages,thus messages,thus buffer buffer management management is is easy.easy. Restricting IPCRestricting IPC
IIPC must be tightly controlled,our rePC must be tightly controlled,our re dezvous mechanism can be used hang the dezvous mechanism can be used hang the system with deadlock.system with deadlock. IIPC PC primitive primitive called called SENDREC,which SENDREC,which combines combines send send and and receive receive in in and and single call.It blocks the caller until single call.It blocks the caller until reply is received.reply is received. SSENDREC ENDREC is is the the only only method method that that ordinary process can use.ordinary process can use. KKernel ernel maintains maintains a a bit bit map map per per
process. process. Avoiding DeadlocksAvoiding Deadlocks
IIPC PC is is synchronous synchronous SEND SEND and and RECEIVE RECEIVE done simultaneously deadlock.done simultaneously deadlock. UUser process only SENDREC() to serversser process only SENDREC() to servers which provides POSIX service.which provides POSIX service. WWe e make make use use of of NOTIFY() NOTIFY() to to send send message from kernel space to userspacemessage from kernel space to userspace which is non blocking.which is non blocking. NNotification otification is is stored stored in in destination destination process table entry until RECEIVE.process table entry until RECEIVE.
Restricting Driver FunctionalityRestricting Driver Functionality
KKernel exports limited functions.ernel exports limited functions. KKernel maintains a bit map of calls a ernel maintains a bit map of calls a driver can call.driver can call. SSome drivers need only read() call,and ome drivers need only read() call,and would would never never need need a a write(),allowing write(),allowing write() to these drivers is a risk.write() to these drivers is a risk. IIn monolithic kernel any one is allown monolithic kernel any one is allow ed ed to to call call any any procedure,even procedure,even write write into other ports.into other ports.
Denying Acess to IO portsDenying Acess to IO ports
FFor each driver kernel maintains list or each driver kernel maintains list of of ports,the ports,the driver driver is is privileged privileged to to use.use. RRead ead and and write write access access is is protected protected separately,process separately,process with with rdonly rdonly try try to to do write is returned an error.do write is returned an error. OOnly nly kernel kernel is is allowed allowed to to do do IO IO operations.operations. WWe e do do compromise compromise reliability reliability over over performance.performance.
Parameter CheckingParameter Checking
WWell a complete parameter checking is ell a complete parameter checking is not possible.not possible. BBut ut kernel kernel can can block block when when a a driver driver tries tries to to write write a a block block of of data data using using physical addressing.physical addressing. BBut ut with with a a virtual virtual addressing addressing kernel kernel can't tell if its a valid address,but can't tell if its a valid address,but atleast it can check if the address is atleast it can check if the address is valid within users address space.valid within users address space. MMonolithic any thing is possible.onolithic any thing is possible.
Catching Bad PointersCatching Bad Pointers
CC/C++ /C++ programs programs suffer suffer from from great great pointer errors.pointer errors. DDereferencing ereferencing a a bad bad pointer pointer leads leads to to segmentation fault.segmentation fault. IIn our design a bad pointer issue done n our design a bad pointer issue done by by a a driver driver / / server server would would be be killed killed and core would be dumped.and core would be dumped. TThus hus RS RS restarts restarts the the Killed Killed driver driver / / servers.servers.
Taming Infinite LoopTaming Infinite Loop
WWhen a driver is stuck in an infinite hen a driver is stuck in an infinite loop it consumes too much CPU time.loop it consumes too much CPU time. SScheduler notice this and reduce the cheduler notice this and reduce the priority until it becomes idle.priority until it becomes idle. SSince driver would stop responding to ince driver would stop responding to RS,RS reads the policy script and RS,RS reads the policy script and either restarts it or do as in policy either restarts it or do as in policy script.script. IIn monolithic entire system hangs.n monolithic entire system hangs.
MINIX 3 PerformanceMINIX 3 Performance
MMeasuring the performance is bit tricky.easuring the performance is bit tricky.
RRunning benchmarks on MINIX 3 other clones unning benchmarks on MINIX 3 other clones like BSD or Linux would have helped.like BSD or Linux would have helped.
BBut ut these these kernels kernels have have been been compiled compiled with with different different compilers compilers and and follow follow different different algorithms for memory / filesystem etc.algorithms for memory / filesystem etc.
SSo o benchmarks benchmarks were were conducted conducted with with two two systems that differ only in one parameter.systems that differ only in one parameter. MINIX 3 Performance (continued)MINIX 3 Performance (continued)
WWe compared the benchmarks run on MINIX 2e compared the benchmarks run on MINIX 2 which is a hybrid microkernel with drivers which is a hybrid microkernel with drivers in the kernel.in the kernel.
AAll the test were conducted in 2.2GHz.ll the test were conducted in 2.2GHz.
System Call performanceSystem Call performance
Table 1:System call times for kernel call vs user mode drivers ,unit of µs. Application test ResultsApplication test Results
Table 2:Run times in seconds for various test programs first two test where run repeatedly in a loop while others once to exclude the effect of cache. Summery of PerformanceSummery of Performance
RReading and writing are 8% slower in eading and writing are 8% slower in MINIX 3 due to extra two messages and MINIX 3 due to extra two messages and two context switches for user mode two context switches for user mode drivers.drivers. TThe getpid() call a simple call from he getpid() call a simple call from user process to process manager takes user process to process manager takes 180 ns more in MINIX 3 than MINIX 2.180 ns more in MINIX 3 than MINIX 2. AAverage performance hit in application verage performance hit in application testing were 6%.testing were 6%. FFor reliability we pay a performace loss or reliability we pay a performace loss of 510%.We consider it a price payingof 510%.We consider it a price paying..
ConclusionConclusion
To achieve reliability design was guided by simplicity,modularity,POLA and fault tolerance.An understandable kernel means fewer kernel bugs,most part of operating system works as a isolated process in userspace.Servers and drivers are monitored by a special server called RS,for the reduction of operating system crashes we may 510% performance loss.Drivers and other components are not rendered bug free but the effect bugs is reduced.
Concluding,we have seen operating system reliablitly can be improved with careful desigin even at cost of performance.
References [1] T.J. Ostrand and E.J. Weyuker. The Distribution of Faults in a Large Industrial Software System. In Proc.of the 2002 ACM SIGSOFT Int’l Symp. on Software Testing and Analysis, Pages 55–64,8696. ACM, 2002.
[2] V. Basili and B. Perricone. Software Errors and Complexity: An Empirical Investigation.Commun. of the ACM, 21(1):42–52, Jan. 1984.
[3] A. Chou, J. Yang, B. Chelf, S. Hallem, and D. Engler. An Empirical Study of Operating System Errors. InProc. 18th ACM Symp. on Oper. Syst. Prin., pages 73–88, 2001.
[4] A. Bricker, M. Gien, M. Guillemont, J. Lipkis, D. Orr, and M. Rozier. A New Look at MicrokernelBased UNIX Operating Systems: Lessons in Performance and Compatibility. In Proc. EurOpen Spring 1991 Conf., pages 13–32, May 1991.
[5] D. Cheriton. The V Kernel: A Software Base for Distributed Systems. IEEE Software, 1(2):19–42, Apr 1984. 6th Symp. on Oper. Syst. Design and Impl., pages 17–30, Dec. 2004.
[6] Herder, J.N., Bos, H., Tanenbaum, A.S.: A Lightweight Method for Building Reliable Operating Systems Despite Unreliable Device Drivers. In: Technical Report IRCS018[www.cs.vu.nl/»jnherder/ircs 018.pdf], Vrije Universiteit (2006).
[7] Jorrit N. Herder,Herber Bos,Ben Gras,Philip Homburg and Andrew S. Tanenbaum: MINIX 3 A highly reliable,Self Repa ring Operating System ,Vrije University.
[8] Jorrit N. Herder,Herber Bos,Ben Gras,Philip Homburg and Andrew S. Tanenbaum.Reorganizing UNIX for Reliability,Computer Science Dept.,Vrije University Amsterdam
[9] Andrew S. Tanenbaum,Albert S. Woodhull, The MINIX book,Operating System Design and Implimentation Third edition
Computers are like air conditioners, Computers are like air conditioners, they stop working once youthey stop working once you Open Open Windows Windows
Thank you ;)